Opened 5 years ago

Closed 4 years ago

Last modified 4 years ago

#6520 closed enhancement (fixed)

Form-based authentication support

Reported by: anonymous
Owned by: roadrunner
Priority: normal
Component: HudsonTracPlugin
Severity: normal
Keywords:
Cc: mariuszs, hetslov@…, chris@…
Trac Release: 0.11

Description

Hi roadrunner,

First, thanks for the plugin! I just secured hudson and now I am getting a 403 error when I want to see the Timeline (Hudson Builds event provider (HudsonTracPlugin) failed ... HTTPError: HTTP Error 403: Forbidden. This most likely means you configured a wrong job_url.)

Configuration:

  • hudson with ldap login, running on tomcat (windows). manual login works fine.
  • trac on ubuntu. connection with unsecured hudson works fine.

-> username/password is correct, I double-checked it. I also tried the no_chal patch without success. Any ideas what I may try/check?

Thanks!

Attachments (0)

Change History (15)

comment:1 Changed 5 years ago by roadrunner

If you had a wrong username/password you'd be seeing 401's; 403 means the
user is not allowed to see that URL. The exact URL being retrieved is
logged as part of the error - did you try exactly that URL manually?
Since you say that it works with unsecured hudson, I'm presuming the
job_url is therefore correct; in that case it looks like you've
configured hudson to restrict access too much - try playing around
with the permissions (I'm presuming you're using matrix-based security?).

comment:2 Changed 5 years ago by anonymous

Thanks for the quick reply!

I tried to put the URL directly into the address bar of my browser: It loaded the authentication-site from hudson and after providing my credentials it showed the xml. All good here.

Next thing I tried is to provide a false username/password in my trac.ini -> Still a 403 error! no 401 at all...

You are right, I am using matrix configuration (project-based). But I granted all rights to the user I want to use for trac integration, so that should not be the problem.

Any more ideas what I could try or debug?

thanks for any help!

comment:3 Changed 5 years ago by anonymous

I have this same problem. Project based matrix configuration, LDAP auths and all roles assigned to trac user. I can open list of builds by hand.

HTTP Error 403: Forbidden

comment:4 Changed 5 years ago by anonymous

  • Cc mariuszs@… added

comment:5 Changed 5 years ago by roadrunner

I need some more details (sorry, don't have time to set up a site to
test this right now): what do you mean "it loaded the
authentication-site"? Does it show you a page with a form to enter
username and password, or does it pop up the browser's
username/password dialog? If the former, then that's the issue: this
plugin only supports http authentication, not form-based
authentication.

comment:6 Changed 5 years ago by mariuszs

I think "it loaded the authentication-site" is about hudson form login when build list was accessed by hand.

Two different users report this problem.

comment:7 Changed 5 years ago by mariuszs

"this plugin only supports http authentication, not form-based authentication."
Hmm, I think form based authentication in hudson is more common and easy to set up than http authentication. Please add this info to plugin homepage, because this plugin is useless now for most of users.

comment:8 Changed 5 years ago by mariuszs

More, switching from form based login to http authentication is not possible. With form based authentication, project based matrix security setup and LDAP configuration Hudson can read user roles from LDAP and assign permissions to jobs. This can't be done with http authentication.

comment:9 Changed 5 years ago by mariuszs

  • Cc mariuszs added; mariuszs@… removed

comment:10 follow-up: Changed 5 years ago by steve

Hi,

Thanks for the replies, I am the anonymous who started this topic ;-)

As mariuszs said, when you use ldap-authentication in hudson (which we need in our setup to give permissions to ldap-groups for jobs) there is only form-based authentication (at least I can't find other options...).

Maybe change the type to enhancement (add form based authentication support)? Or are there any ideas for a workaround?

Many thanks,
Steve

comment:11 in reply to: ↑ 10 Changed 5 years ago by roadrunner

  • Summary changed from 403 Error to Form-based authentication support
  • Type changed from defect to enhancement

Replying to steve:

> As mariuszs said when you use ldap-authentication in hudson (which
> we need in our setup to give permissions to ldap-groups for jobs)
> there is only form-based authentication (at least I can't find other
> options...).

Ok, that sucks. Maybe hudson could use an enhancement here.

> Maybe change the type to enhancement (add form based authentication
> support)?

I'm changing the ticket.

If the form doesn't use any sort of form-token (xss protection) and
the login-url is well-known (e.g. can be reliably computed from the
job_url) then it is probably easy enough to implement; otherwise it'll
need some html-parsing etc too - yuck. In any case it'll be a few weeks
before I can work on this. Unless somebody else wants to take a stab at
it.

comment:12 Changed 4 years ago by netslow

So, what about form based authentication support?

comment:13 Changed 4 years ago by anonymous

  • Cc hetslov@… added

comment:14 Changed 4 years ago by anonymous

  • Cc chris@… added

comment:15 Changed 4 years ago by roadrunner

  • Resolution set to fixed
  • Status changed from new to closed

(In [7895]) Added support for hudson's form-based authentication.

This is based on a modified version of the patch submitted to #6332.
Instead of requiring the user to configure yet another option, Hudson's
403 response is used to trigger the pre-emptive sending of auth info.
This is only very slightly less secure than the config option, and only
so in scenarios where the authentication for Hudson was using Digest auth
but due to some config change Hudson is now returning a 403 - in this case
the plugin will start sending the (essentially cleartext) username and
password which could possibly now be snooped.

This closes #6332 and #6520.
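
The trade-off described in the commit message above, as an added example that is not the plugin's code from [7895]: a decision function that sends credentials pre-emptively on a 403 only when that does not expose them. The function names, the `digest_seen` and `allow_cleartext` parameters, the HTTPS requirement, the sample URL and the use of HTTP Basic for the pre-emptive header are assumptions of this example.

```python
import base64
from urllib.parse import urlsplit


def basic_header(user, password):
    """Authorization value sent up front, without waiting for a challenge."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")  # encoded, not encrypted


def challenge_scheme(headers):
    """Lower-cased scheme of the first WWW-Authenticate challenge, or None."""
    for name, value in headers.items():
        if name.lower() == "www-authenticate" and value.strip():
            return value.split()[0].lower()
    return None


def next_auth_step(url, status, headers, digest_seen=False, allow_cleartext=False):
    """Return (action, reason) for retrying a request that got `status`.

    digest_seen: this server sent a Digest challenge earlier (hypothetical state
    kept by the caller); allow_cleartext: operator accepts Basic over plain HTTP.
    """
    scheme = challenge_scheme(headers)
    if status == 401 and scheme:
        return ("answer-challenge", scheme)  # normal HTTP auth round trip
    if status != 403:
        return ("none", "not an authentication failure")
    if digest_seen:
        return ("refuse", "server used Digest before; do not downgrade on a 403")
    if urlsplit(url).scheme != "https" and not allow_cleartext:
        return ("refuse", "Basic credentials would cross the network unencrypted")
    return ("preemptive-basic", "403 without a challenge: form-based login assumed")


if __name__ == "__main__":
    url = "https://ci.example.test/job/demo/rssAll"  # constructed sample URL
    samples = [  # constructed responses: (url, status, headers, digest_seen)
        (url, 401, {"WWW-Authenticate": 'Digest realm="hudson", nonce="abc"'}, False),
        (url, 403, {}, False),
        (url, 403, {}, True),
        (url.replace("https", "http"), 403, {}, False),
    ]
    for u, status, headers, seen in samples:
        print(status, u, next_auth_step(u, status, headers, digest_seen=seen))
```
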
